ALCASAR, an open source Network Access Controller based on Mageia

“ALCASAR is a free Internet Access Controller for private or public consultation networks. It authenticates and protects users’ access regardless of their connection type or equipment (PC, smartphone, game console, TV sets, etc.).”

I met the ALCASAR guys in 2012, during a French event and I discovered they were using Mageia in a professional project. Then the time ran quickly and finally here we are. Richard Rey agreed to answer our questions about ALCASAR and Mageia.

– Can you introduce yourself? What is your technical background and why did you start contributing to the ALCASAR project?

RR: Richard REY (AKA: Rexy). I am the Deputy Director of the computer security research laboratory (C + V) ° at ESIEA, a “school of digital technology engineers”. This school, which is a non-profit association (under the French “law 1901”), is certified CTI (Commission of the Titles of Engineers). It is located on three campuses (Paris, Ivry and Laval).

I left the French army four years ago after a 27-year career in the fields of digital telecommunications, electronic warfare and computer fighting.

The genesis of the ALCASAR project: While I was an RSSI (CISO) in a major Command, I was confronted with the installation of a technical tool on a large number of geographical sites. It had to meet the requirements of the Act for the Confidence in the Digital Economy (LCEN). This law requires that all connections made by Internet users must be logged for one year. The objective on my side was clear: protect those responsible for Internet networks (those who pay the subscription) from judicial inquiries related to the indelicacy of some connected users (incitement to racial hatred, procuring, child pornography, scams, extortion, apology for terrorism, etc.).

After several unsuccessful searches (incomplete products, too complex or “out of budget”), I decided to create a team and we designed ALCASAR (Free Application for Secure and Authenticated Network Access Control).

– Can you describe the ALCASAR project, its community and its features?

RR: From the beginning of the project, we have enforced quite strong technical and ethical constraints: all the traces of connection of all the protocols must be stored for one year (LCEN). They must be available only to the competent authorities (CNIL). Any digital trace must integrate the notion of volume, duration and must make it possible to find a “human” user (a human is not an IP address …).

The heart of the project was developed around four main building blocks: the RADIUS server freeradius, the NAC (Network Access Controller) coova-chilli, the RDBMS mariadb and the firewall netfilter.

After adding apache and PHP to offer a user-friendly Web administration interface, the project became known outside the military sphere.

Faithful to our military roots, the community is organized in a very pyramidal way. Only three or four contributors can interact directly with our SVN. The others propose their contributions to those four “privileged” users. About twenty people of all nationalities are currently registered on the project (a dozen are active).

– On your home page, it says that Mageia is part of your software ecosystem. Why this choice?

RR: At the beginning of the project, I used the Mandrake Linux distribution. It was everything I was looking for, on both the professional and personal sides. I especially appreciated the rigorous security updates (no nasty surprises) and the “Made In France” side. We remained loyal and naturally evolved ALCASAR on Mandriva Linux and then on Mageia. The next version 3.1 of ALCASAR will be installed on Mageia 5.1. We will naturally continue this cycle with Mageia 6.

– Do you have an idea of today’s ALCASAR users?

RR: In terms of volume: no. In terms of use, we know that French and foreign ministries are using it. Some companies have deployed it and have sometimes included it in their security policy. We also know that ESN (IT services companies) install and administer it on behalf of their clients. We have a lot of feedback from hoteliers, providers, associates, camp managers, holiday clubs …

– What are the relationships between ALCASAR and Mageia? Do you contribute to Mageia? How can Mageia help you?

RR: ALCASAR only runs on Mageia and there is no question of changing that for now. This allows us to devote ourselves to the evolutions of functionality rather than wasting our time adapting it for other distributions.

We contribute quite little (too little to my liking) to Mageia. We report the bugs that have an impact on the twenty software packages that we do include in ALCASAR. We package some software that we are, in my opinion, the only ones to use (HAVP, Netflow core probe, coova-chilli).

In France (and in other European countries) there is a big difference between “traceability” and “filtering”. The traceability is written in the law in order to ease the investigations. In ALCASAR, the filtering system is needed for institutions welcoming young people. If you’re not in that case, you do not have to enable the filtering system. There is no goal to censor anyone.